@blamejs/core 0.9.19 → 0.9.20

package/lib/guard-mail-query.js

@@ -0,0 +1,296 @@
+"use strict";
+/**
+ * @module     b.guardMailQuery
+ * @nav        Guards
+ * @title      Guard Mail Query
+ * @order      430
+ *
+ * @intro
+ *   Search / fetch / changes filter validator for `b.mail.agent`. Refuses
+ *   filter shapes that can't safely cross the worker-thread or queue
+ *   boundary (functions, regex objects with state, Date objects with
+ *   non-finite values, cycles), enforces a projection-column allowlist
+ *   against the mail-store schema, and pins the per-actor fields that
+ *   the active compliance posture requires (HIPAA → `purposeOfUse`;
+ *   PCI-DSS → `pciScope`; GDPR → `lawfulBasis`).
+ *
+ *   Composes `b.guardJson` (via `validate(JSON.stringify(filter))`-shape
+ *   guard) at the structural level and adds mail-specific rules: the
+ *   filter is recursively walked once with a depth cap, no operator
+ *   key is allowed outside the documented set, and any field-name
+ *   used as a comparator key must be in `FILTERABLE_COLUMNS`.
+ *
+ * @card
+ *   Validates `b.mail.agent.search` / `Email/query` filter specs.
+ *   Pure-data only (no functions / regex), bounded depth, projection
+ *   allowlist, posture-required actor fields.
+ */
+
+var { defineClass } = require("./framework-error");
+
+var GuardMailQueryError = defineClass("GuardMailQueryError", { alwaysPermanent: true });
+
+var DEFAULT_PROFILE = "strict";
+
+var PROFILES = Object.freeze({
+  strict:     { maxDepth: 8,  maxKeys: 64,  maxStringBytes: 8192,  maxArrayLen: 256 },                // allow:raw-byte-literal — caps for filter spec
+  balanced:   { maxDepth: 16, maxKeys: 128, maxStringBytes: 16384, maxArrayLen: 1024 },               // allow:raw-byte-literal
+  permissive: { maxDepth: 24, maxKeys: 512, maxStringBytes: 65536, maxArrayLen: 4096 },               // allow:raw-byte-literal
+});
+
+var COMPLIANCE_POSTURES = Object.freeze({
+  hipaa:     "strict",
+  "pci-dss": "strict",
+  gdpr:      "strict",
+  soc2:      "strict",
+});
+
+// Columns the filter may reference and the projection may request.
+// Sealed columns can be `=` / `IN` matched (the mail-store walks
+// derivedHashes for the equality form); range / LIKE matches are only
+// allowed against plaintext columns.
+var FILTERABLE_COLUMNS = Object.freeze({
+  objectid:       { kind: "plaintext", ops: ["eq", "in"] },
+  modseq:         { kind: "plaintext", ops: ["eq", "gt", "lt", "ge", "le", "in"] },
+  internal_date:  { kind: "plaintext", ops: ["eq", "gt", "lt", "ge", "le"] },
+  received_at:    { kind: "plaintext", ops: ["eq", "gt", "lt", "ge", "le"] },
+  size_bytes:     { kind: "plaintext", ops: ["eq", "gt", "lt", "ge", "le"] },
+  thread_root_id: { kind: "plaintext", ops: ["eq", "in"] },
+  legal_hold:     { kind: "plaintext", ops: ["eq"] },
+  message_id:     { kind: "sealed",    ops: ["eq", "in"] },
+  from_addr:      { kind: "sealed",    ops: ["eq", "in"] },
+  subject:        { kind: "sealed",    ops: ["eq"] },
+  flag:           { kind: "join",      ops: ["eq", "in"] },
+});
+
+var ALLOWED_OPS = Object.freeze({
+  eq: true, in: true, gt: true, lt: true, ge: true, le: true,
+  and: true, or: true, not: true,
+});
+
+// Per-posture actor required fields. Operator must supply these on the
+// agent actor object for any read/write op under the matching posture
+// — refused otherwise.
+var POSTURE_ACTOR_FIELDS = Object.freeze({
+  hipaa:     ["purposeOfUse"],
+  "pci-dss": ["pciScope"],
+  gdpr:      ["lawfulBasis"],
+  soc2:      [],
+});
+
+/**
+ * @primitive b.guardMailQuery.validate
+ * @signature b.guardMailQuery.validate(filter, opts?)
+ * @since     0.9.20
+ * @status    stable
+ * @related   b.guardMailQuery.validateActor, b.mail.agent.create
+ *
+ * Validate a filter spec. Returns the input on success; throws
+ * `GuardMailQueryError` on refusal.
+ *
+ * @opts
+ *   profile:    "strict" | "balanced" | "permissive",   // default "strict"
+ *   posture:    "hipaa" | "pci-dss" | "gdpr" | "soc2",  // pins strict
+ *   project:    Array<string>,                           // projection columns
+ *
+ * @example
+ *   b.guardMailQuery.validate({ and: [{ modseq: { gt: 0 } }, { flag: { eq: "\\Seen" } }] });
+ */
+function validate(filter, opts) {
+  opts = opts || {};
+  var profile = PROFILES[_resolveProfile(opts)];
+  if (filter === undefined || filter === null) {
+    throw new GuardMailQueryError("mail-query/empty",
+      "guardMailQuery.validate: filter required");
+  }
+  if (typeof filter !== "object" || Array.isArray(filter)) {
+    throw new GuardMailQueryError("mail-query/bad-input",
+      "guardMailQuery.validate: filter must be a plain object");
+  }
+  _walk(filter, 0, profile, new Set());
+
+  if (opts.project) {
+    if (!Array.isArray(opts.project)) {
+      throw new GuardMailQueryError("mail-query/bad-project",
+        "guardMailQuery.validate: opts.project must be an array");
+    }
+    for (var i = 0; i < opts.project.length; i += 1) {
+      var col = opts.project[i];
+      if (typeof col !== "string" || !Object.prototype.hasOwnProperty.call(FILTERABLE_COLUMNS, col)) {
+        throw new GuardMailQueryError("mail-query/bad-projection-column",
+          "guardMailQuery.validate: column '" + col + "' not in projection allowlist");
+      }
+    }
+  }
+  return filter;
+}
+
+/**
+ * @primitive b.guardMailQuery.validateActor
+ * @signature b.guardMailQuery.validateActor(actor, posture?)
+ * @since     0.9.20
+ * @status    stable
+ * @related   b.guardMailQuery.validate
+ *
+ * Validate that `actor` carries the per-posture required fields.
+ * Returns `actor` on success; throws on missing field.
+ *
+ * @example
+ *   b.guardMailQuery.validateActor({ id: "u1", roles: ["clinician"], purposeOfUse: "TREATMENT" }, "hipaa");
+ */
+function validateActor(actor, posture) {
+  if (!actor || typeof actor !== "object") {
+    throw new GuardMailQueryError("mail-query/no-actor",
+      "guardMailQuery.validateActor: actor required");
+  }
+  if (typeof actor.id !== "string" || actor.id.length === 0) {
+    throw new GuardMailQueryError("mail-query/bad-actor",
+      "guardMailQuery.validateActor: actor.id must be a non-empty string");
+  }
+  if (posture && POSTURE_ACTOR_FIELDS[posture]) {
+    var required = POSTURE_ACTOR_FIELDS[posture];
+    for (var i = 0; i < required.length; i += 1) {
+      var f = required[i];
+      if (typeof actor[f] !== "string" || actor[f].length === 0) {
+        throw new GuardMailQueryError("mail-query/missing-posture-field",
+          "guardMailQuery.validateActor: posture '" + posture + "' requires actor." + f);
+      }
+    }
+  }
+  return actor;
+}
+
+/**
+ * @primitive b.guardMailQuery.compliancePosture
+ * @signature b.guardMailQuery.compliancePosture(posture)
+ * @since     0.9.20
+ * @status    stable
+ *
+ * Return the effective profile for a given compliance posture name.
+ * Returns `null` when the posture is unknown (operator-supplied typos
+ * surface here instead of silently falling back to the default).
+ *
+ * @example
+ *   b.guardMailQuery.compliancePosture("hipaa");   // → "strict"
+ */
+function compliancePosture(posture) {
+  return COMPLIANCE_POSTURES[posture] || null;
+}
+
+function _walk(node, depth, profile, visited) {
+  if (depth > profile.maxDepth) {
+    throw new GuardMailQueryError("mail-query/depth",
+      "guardMailQuery.validate: filter depth exceeds maxDepth=" + profile.maxDepth);
+  }
+  if (node === null || typeof node !== "object") {
+    _checkScalar(node, profile);
+    return;
+  }
+  if (typeof node === "function") {
+    throw new GuardMailQueryError("mail-query/function-not-allowed",
+      "guardMailQuery.validate: functions refused (filter must be pure data)");
+  }
+  if (node instanceof RegExp) {
+    throw new GuardMailQueryError("mail-query/regex-not-allowed",
+      "guardMailQuery.validate: RegExp refused (use { like: ... } string predicate)");
+  }
+  if (node instanceof Date) {
+    if (!isFinite(node.getTime())) {
+      throw new GuardMailQueryError("mail-query/bad-date",
+        "guardMailQuery.validate: invalid Date");
+    }
+    return;
+  }
+  if (Buffer.isBuffer(node)) {
+    throw new GuardMailQueryError("mail-query/buffer-not-allowed",
+      "guardMailQuery.validate: Buffer refused inside filter");
+  }
+  if (visited.has(node)) {
+    throw new GuardMailQueryError("mail-query/cycle",
+      "guardMailQuery.validate: cyclic filter refused");
+  }
+  visited.add(node);
+
+  if (Array.isArray(node)) {
+    if (node.length > profile.maxArrayLen) {
+      throw new GuardMailQueryError("mail-query/array-too-long",
+        "guardMailQuery.validate: array length " + node.length + " exceeds " + profile.maxArrayLen);
+    }
+    for (var i = 0; i < node.length; i += 1) {
+      _walk(node[i], depth + 1, profile, visited);
+    }
+    return;
+  }
+
+  var keys = Object.keys(node);
+  if (keys.length > profile.maxKeys) {
+    throw new GuardMailQueryError("mail-query/too-many-keys",
+      "guardMailQuery.validate: " + keys.length + " keys exceeds maxKeys=" + profile.maxKeys);
+  }
+  for (var ki = 0; ki < keys.length; ki += 1) {
+    var k = keys[ki];
+    if (k === "__proto__" || k === "constructor" || k === "prototype") {
+      throw new GuardMailQueryError("mail-query/proto-key",
+        "guardMailQuery.validate: forbidden key '" + k + "'");
+    }
+    var isOp = Object.prototype.hasOwnProperty.call(ALLOWED_OPS, k);
+    var isCol = Object.prototype.hasOwnProperty.call(FILTERABLE_COLUMNS, k);
+    if (!isOp && !isCol) {
+      throw new GuardMailQueryError("mail-query/unknown-key",
+        "guardMailQuery.validate: key '" + k + "' not an allowed operator or column");
+    }
+    _walk(node[k], depth + 1, profile, visited);
+  }
+}
+
+function _checkScalar(v, profile) {
+  if (typeof v === "string") {
+    if (Buffer.byteLength(v, "utf8") > profile.maxStringBytes) {
+      throw new GuardMailQueryError("mail-query/string-too-long",
+        "guardMailQuery.validate: string exceeds maxStringBytes=" + profile.maxStringBytes);
+    }
+    return;
+  }
+  if (typeof v === "number") {
+    if (!isFinite(v)) {
+      throw new GuardMailQueryError("mail-query/bad-number",
+        "guardMailQuery.validate: non-finite number refused");
+    }
+    return;
+  }
+  if (typeof v === "boolean") return;
+  if (v === null) return;
+  if (typeof v === "undefined") {
+    throw new GuardMailQueryError("mail-query/undefined-not-allowed",
+      "guardMailQuery.validate: undefined refused");
+  }
+  if (typeof v === "symbol" || typeof v === "bigint" || typeof v === "function") {
+    throw new GuardMailQueryError("mail-query/bad-scalar",
+      "guardMailQuery.validate: scalar type " + typeof v + " refused");
+  }
+}
+
+function _resolveProfile(opts) {
+  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
+    return COMPLIANCE_POSTURES[opts.posture];
+  }
+  var p = opts.profile || DEFAULT_PROFILE;
+  if (!PROFILES[p]) {
+    throw new GuardMailQueryError("mail-query/bad-profile",
+      "guardMailQuery: unknown profile '" + p + "'");
+  }
+  return p;
+}
+
+module.exports = {
+  validate:            validate,
+  validateActor:       validateActor,
+  compliancePosture:   compliancePosture,
+  PROFILES:            PROFILES,
+  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
+  FILTERABLE_COLUMNS:  FILTERABLE_COLUMNS,
+  POSTURE_ACTOR_FIELDS: POSTURE_ACTOR_FIELDS,
+  GuardMailQueryError: GuardMailQueryError,
+  NAME:                "mailQuery",
+  KIND:                "mail-query",
+};

package/lib/guard-mail-reply.js

@@ -0,0 +1,172 @@
+"use strict";
+/**
+ * @module     b.guardMailReply
+ * @nav        Guards
+ * @title      Guard Mail Reply
+ * @order      432
+ *
+ * @intro
+ *   Reply-thread shape validator for `b.mail.agent.reply` /
+ *   `b.mail.agent.forward`. Composes `b.guardMessageId` (v0.9.19) for
+ *   each Message-Id in the chain and adds reply-specific rules:
+ *
+ *     - References-chain cap — `maxChainLength` (default 100) defends
+ *       infinite-loop forwards and References-bomb DoS
+ *     - In-Reply-To continuity — when both `inReplyTo` and `references`
+ *       are supplied, the last element of References must match
+ *       In-Reply-To (RFC 5322 §3.6.4)
+ *     - Quoted-original byte cap — when `quotedOriginal` is set, the
+ *       byte cap defends pathological reply-of-reply chains that grow
+ *       linearly with each hop
+ *     - Forwarded-attachment cardinality — forwards may include the
+ *       original's attachments by reference; cap at `maxForwardedAttachments`
+ *       (default 32) to prevent attachment-bomb forwards
+ *
+ * @card
+ *   Validates reply / forward shape. References-chain cap (defends
+ *   infinite-loop forwards), In-Reply-To continuity (RFC 5322 §3.6.4),
+ *   quoted-original byte cap.
+ */
+
+var { defineClass } = require("./framework-error");
+var guardMessageId = require("./guard-message-id");
+
+var GuardMailReplyError = defineClass("GuardMailReplyError", { alwaysPermanent: true });
+
+var DEFAULT_PROFILE = "strict";
+
+var PROFILES = Object.freeze({
+  strict:     { maxChainLength: 100,  maxQuotedBytes: 524288,   maxForwardedAttachments: 32 },        // allow:raw-byte-literal — chain count + 512 KiB
+  balanced:   { maxChainLength: 500,  maxQuotedBytes: 2097152,  maxForwardedAttachments: 128 },       // allow:raw-byte-literal — chain count + 2 MiB
+  permissive: { maxChainLength: 2000, maxQuotedBytes: 10485760, maxForwardedAttachments: 512 },       // allow:raw-byte-literal — chain count + 10 MiB
+});
+
+var COMPLIANCE_POSTURES = Object.freeze({
+  hipaa:     "strict",
+  "pci-dss": "strict",
+  gdpr:      "strict",
+  soc2:      "strict",
+});
+
+/**
+ * @primitive b.guardMailReply.validate
+ * @signature b.guardMailReply.validate(reply, opts?)
+ * @since     0.9.20
+ * @status    stable
+ * @related   b.guardMessageId, b.guardMailCompose
+ *
+ * Validate a reply / forward envelope. `reply.inReplyTo` is the
+ * Message-Id of the parent; `reply.references` is the chain (oldest
+ * first); `reply.quotedOriginal` is the optional included original
+ * body (already redacted by the caller — guard validates byte cap
+ * only, not content).
+ *
+ * @opts
+ *   profile:   "strict" | "balanced" | "permissive",
+ *   posture:   "hipaa" | "pci-dss" | "gdpr" | "soc2",
+ *
+ * @example
+ *   b.guardMailReply.validate({
+ *     inReplyTo:  "<a@x>",
+ *     references: ["<root@x>", "<a@x>"],
+ *   });
+ */
+function validate(reply, opts) {
+  opts = opts || {};
+  var profile = PROFILES[_resolveProfile(opts)];
+  if (!reply || typeof reply !== "object") {
+    throw new GuardMailReplyError("mail-reply/bad-input",
+      "guardMailReply.validate: reply required");
+  }
+  if (typeof reply.inReplyTo !== "string" || reply.inReplyTo.length === 0) {
+    throw new GuardMailReplyError("mail-reply/no-in-reply-to",
+      "guardMailReply.validate: inReplyTo required");
+  }
+  guardMessageId.validate(reply.inReplyTo, { profile: "strict" });
+
+  if (typeof reply.references !== "undefined") {
+    if (!Array.isArray(reply.references)) {
+      throw new GuardMailReplyError("mail-reply/bad-references",
+        "guardMailReply.validate: references must be an array");
+    }
+    if (reply.references.length > profile.maxChainLength) {
+      throw new GuardMailReplyError("mail-reply/chain-too-long",
+        "guardMailReply.validate: chain length " + reply.references.length +
+        " exceeds maxChainLength=" + profile.maxChainLength);
+    }
+    for (var i = 0; i < reply.references.length; i += 1) {
+      guardMessageId.validate(reply.references[i], { profile: "strict" });
+    }
+    if (reply.references.length > 0) {
+      var last = reply.references[reply.references.length - 1];
+      if (last !== reply.inReplyTo) {
+        throw new GuardMailReplyError("mail-reply/discontinuity",
+          "guardMailReply.validate: last References '" + last +
+          "' does not match inReplyTo '" + reply.inReplyTo + "' (RFC 5322 §3.6.4)");
+      }
+    }
+  }
+
+  if (typeof reply.quotedOriginal !== "undefined") {
+    if (typeof reply.quotedOriginal !== "string") {
+      throw new GuardMailReplyError("mail-reply/bad-quoted",
+        "guardMailReply.validate: quotedOriginal must be a string");
+    }
+    if (Buffer.byteLength(reply.quotedOriginal, "utf8") > profile.maxQuotedBytes) {
+      throw new GuardMailReplyError("mail-reply/quoted-too-big",
+        "guardMailReply.validate: quotedOriginal exceeds maxQuotedBytes=" + profile.maxQuotedBytes);
+    }
+  }
+
+  if (typeof reply.forwardedAttachments !== "undefined") {
+    if (!Array.isArray(reply.forwardedAttachments)) {
+      throw new GuardMailReplyError("mail-reply/bad-fwd-attach",
+        "guardMailReply.validate: forwardedAttachments must be an array");
+    }
+    if (reply.forwardedAttachments.length > profile.maxForwardedAttachments) {
+      throw new GuardMailReplyError("mail-reply/too-many-fwd-attach",
+        "guardMailReply.validate: forwarded attachment count " +
+        reply.forwardedAttachments.length + " exceeds " + profile.maxForwardedAttachments);
+    }
+  }
+  return reply;
+}
+
+/**
+ * @primitive b.guardMailReply.compliancePosture
+ * @signature b.guardMailReply.compliancePosture(posture)
+ * @since     0.9.20
+ * @status    stable
+ *
+ * Return the effective profile for a given compliance posture name.
+ * Returns `null` for unknown posture names so operator typos surface
+ * here instead of silently falling through to the default profile.
+ *
+ * @example
+ *   b.guardMailReply.compliancePosture("hipaa");   // → "strict"
+ */
+function compliancePosture(posture) {
+  return COMPLIANCE_POSTURES[posture] || null;
+}
+
+function _resolveProfile(opts) {
+  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
+    return COMPLIANCE_POSTURES[opts.posture];
+  }
+  var p = opts.profile || DEFAULT_PROFILE;
+  if (!PROFILES[p]) {
+    throw new GuardMailReplyError("mail-reply/bad-profile",
+      "guardMailReply: unknown profile '" + p + "'");
+  }
+  return p;
+}
+
+module.exports = {
+  validate:            validate,
+  compliancePosture:   compliancePosture,
+  PROFILES:            PROFILES,
+  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
+  GuardMailReplyError: GuardMailReplyError,
+  NAME:                "mailReply",
+  KIND:                "mail-reply",
+};

package/lib/guard-mail-sieve.js

@@ -0,0 +1,207 @@
+"use strict";
+/**
+ * @module     b.guardMailSieve
+ * @nav        Guards
+ * @title      Guard Mail Sieve
+ * @order      434
+ *
+ * @intro
+ *   Validator for `b.mail.agent.sieve.put` / `.activate`. The full
+ *   Sieve parser + bytecode + runtime lands at v0.9.26 as
+ *   `b.safeSieve`; this guard handles the agent-side actor + script-
+ *   envelope checks that apply BEFORE parsing:
+ *
+ *     - actor-scope check — only the owner of a script (or
+ *       `mailScope: "admin"`) may edit it
+ *     - script-byte cap — refuses scripts larger than `maxScriptBytes`
+ *       (default 65536 — same cap v0.9.26's `b.safeSieve` will use)
+ *     - script-name shape — RFC 5804 §2.3 script names are bounded
+ *       UTF-8; the guard enforces the byte cap (default 256) and
+ *       refuses NUL / control / slash / path-traversal shapes
+ *     - line-count cap — defends scripts that are technically under
+ *       the byte cap but pathological (one-character lines)
+ *
+ *   When v0.9.26 ships, `b.safeSieve.validate(script)` will be
+ *   invoked AFTER this guard — operators who want to bytecode-
+ *   validate at agent.sieve.put time pass `requireParse: true` and
+ *   the agent calls into v0.9.26's parser.
+ *
+ * @card
+ *   Validates `b.mail.agent.sieve` operations. Actor-scope check,
+ *   script-byte cap, name shape, line-count cap. Pre-parser checks
+ *   only — full Sieve parse lands at v0.9.26 (`b.safeSieve`).
+ */
+
+var { defineClass } = require("./framework-error");
+
+var GuardMailSieveError = defineClass("GuardMailSieveError", { alwaysPermanent: true });
+
+var DEFAULT_PROFILE = "strict";
+
+var PROFILES = Object.freeze({
+  strict:     { maxScriptBytes: 65536,   maxNameBytes: 256,  maxLines: 2000  },                       // allow:raw-byte-literal
+  balanced:   { maxScriptBytes: 262144,  maxNameBytes: 256,  maxLines: 10000 },                       // allow:raw-byte-literal
+  permissive: { maxScriptBytes: 1048576, maxNameBytes: 1024, maxLines: 50000 },                       // allow:raw-byte-literal
+});
+
+var COMPLIANCE_POSTURES = Object.freeze({
+  hipaa:     "strict",
+  "pci-dss": "strict",
+  gdpr:      "strict",
+  soc2:      "strict",
+});
+
+/**
+ * @primitive b.guardMailSieve.validate
+ * @signature b.guardMailSieve.validate(op, opts?)
+ * @since     0.9.20
+ * @status    stable
+ * @related   b.mail.agent.create
+ *
+ * Validate a sieve-management op shape. `op.kind` is one of `"put"` /
+ * `"activate"` / `"delete"`; `op.actor` carries the actor; for `"put"`
+ * the `op.name` and `op.script` are validated; for `"activate"` /
+ * `"delete"` only `op.name` is required.
+ *
+ * @opts
+ *   profile:   "strict" | "balanced" | "permissive",
+ *   posture:   "hipaa" | "pci-dss" | "gdpr" | "soc2",
+ *   ownedNames: Array<string>,    // names the actor owns (operator-supplied)
+ *
+ * @example
+ *   b.guardMailSieve.validate({
+ *     kind: "put",
+ *     actor: { id: "u1", mailScope: "user" },
+ *     name:  "my-filter",
+ *     script: "require [\"fileinto\"];\nif address :is \"From\" \"x@x\" { fileinto \"Junk\"; }",
+ *   }, { ownedNames: ["my-filter"] });
+ */
+function validate(op, opts) {
+  opts = opts || {};
+  var profile = PROFILES[_resolveProfile(opts)];
+  if (!op || typeof op !== "object") {
+    throw new GuardMailSieveError("mail-sieve/bad-input",
+      "guardMailSieve.validate: op required");
+  }
+  if (op.kind !== "put" && op.kind !== "activate" && op.kind !== "delete") {
+    throw new GuardMailSieveError("mail-sieve/bad-kind",
+      "guardMailSieve.validate: op.kind must be 'put' | 'activate' | 'delete'");
+  }
+  if (!op.actor || typeof op.actor !== "object" || typeof op.actor.id !== "string") {
+    throw new GuardMailSieveError("mail-sieve/no-actor",
+      "guardMailSieve.validate: op.actor with .id required");
+  }
+  _checkName(op.name, profile);
+
+  if (op.kind === "put") {
+    if (typeof op.script !== "string") {
+      throw new GuardMailSieveError("mail-sieve/bad-script",
+        "guardMailSieve.validate: op.script must be a string");
+    }
+    var bytes = Buffer.byteLength(op.script, "utf8");
+    if (bytes === 0) {
+      throw new GuardMailSieveError("mail-sieve/empty-script",
+        "guardMailSieve.validate: script must be non-empty");
+    }
+    if (bytes > profile.maxScriptBytes) {
+      throw new GuardMailSieveError("mail-sieve/script-too-big",
+        "guardMailSieve.validate: script " + bytes + " bytes exceeds maxScriptBytes=" +
+        profile.maxScriptBytes);
+    }
+    // Line-count cap (a one-byte-line bomb stays under maxScriptBytes
+    // but blows up later parser stages; refuse here).
+    var lineCount = 1;
+    for (var i = 0; i < op.script.length; i += 1) {
+      if (op.script.charCodeAt(i) === 0x0A) lineCount += 1;                                           // allow:raw-byte-literal — LF
+    }
+    if (lineCount > profile.maxLines) {
+      throw new GuardMailSieveError("mail-sieve/too-many-lines",
+        "guardMailSieve.validate: " + lineCount + " lines exceeds maxLines=" + profile.maxLines);
+    }
+    // Control-char refusal in script (NUL is always refused; other
+    // C0 except CR/LF/TAB are refused too — Sieve scripts are
+    // text-only per RFC 5228 §1.4).
+    for (var j = 0; j < op.script.length; j += 1) {
+      var c = op.script.charCodeAt(j);
+      if (c === 0x00 || (c < 0x20 && c !== 0x09 && c !== 0x0A && c !== 0x0D) || c === 0x7F) {         // allow:raw-byte-literal — NUL / C0 except TAB/LF/CR / DEL refusal
+        throw new GuardMailSieveError("mail-sieve/control-char-in-script",
+          "guardMailSieve.validate: control char 0x" + c.toString(16) + " at offset " + j);
+      }
+    }
+  }
+
+  // Actor-scope check — non-admin actors may only edit / activate /
+  // delete scripts whose name is in their owned-names list. Operator
+  // supplies the list via opts.ownedNames (looked up from RBAC table).
+  var isAdmin = op.actor.mailScope === "admin";
+  if (!isAdmin) {
+    var owned = Array.isArray(opts.ownedNames) ? opts.ownedNames : [];
+    if (owned.indexOf(op.name) < 0) {
+      throw new GuardMailSieveError("mail-sieve/not-owner",
+        "guardMailSieve.validate: actor does not own script '" + op.name +
+        "' (use mailScope:'admin' or supply opts.ownedNames)");
+    }
+  }
+  return op;
+}
+
+/**
+ * @primitive b.guardMailSieve.compliancePosture
+ * @signature b.guardMailSieve.compliancePosture(posture)
+ * @since     0.9.20
+ * @status    stable
+ *
+ * Return the effective profile for a given compliance posture name.
+ * Returns `null` for unknown posture names so operator typos surface
+ * here instead of silently falling through to the default profile.
+ *
+ * @example
+ *   b.guardMailSieve.compliancePosture("hipaa");   // → "strict"
+ */
+function compliancePosture(posture) {
+  return COMPLIANCE_POSTURES[posture] || null;
+}
+
+function _checkName(name, profile) {
+  if (typeof name !== "string" || name.length === 0) {
+    throw new GuardMailSieveError("mail-sieve/bad-name",
+      "guardMailSieve.validate: op.name must be a non-empty string");
+  }
+  if (Buffer.byteLength(name, "utf8") > profile.maxNameBytes) {
+    throw new GuardMailSieveError("mail-sieve/name-too-long",
+      "guardMailSieve.validate: op.name exceeds maxNameBytes=" + profile.maxNameBytes);
+  }
+  if (name.indexOf("..") >= 0) {
+    throw new GuardMailSieveError("mail-sieve/path-traversal",
+      "guardMailSieve.validate: op.name contains '..'");
+  }
+  for (var i = 0; i < name.length; i += 1) {
+    var c = name.charCodeAt(i);
+    if (c < 0x20 || c === 0x7F || c === 0x2F || c === 0x5C) {                                         // allow:raw-byte-literal — C0 / DEL / slash / backslash refusal
+      throw new GuardMailSieveError("mail-sieve/bad-name-char",
+        "guardMailSieve.validate: op.name contains forbidden char 0x" + c.toString(16));
+    }
+  }
+}
+
+function _resolveProfile(opts) {
+  if (opts.posture && COMPLIANCE_POSTURES[opts.posture]) {
+    return COMPLIANCE_POSTURES[opts.posture];
+  }
+  var p = opts.profile || DEFAULT_PROFILE;
+  if (!PROFILES[p]) {
+    throw new GuardMailSieveError("mail-sieve/bad-profile",
+      "guardMailSieve: unknown profile '" + p + "'");
+  }
+  return p;
+}
+
+module.exports = {
+  validate:            validate,
+  compliancePosture:   compliancePosture,
+  PROFILES:            PROFILES,
+  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
+  GuardMailSieveError: GuardMailSieveError,
+  NAME:                "mailSieve",
+  KIND:                "mail-sieve",
+};